U.S. Sanctions North Korean Crypto Network later than $2B Theft

OFAC Targets North Korean Bankers and Front Companies

The U.S. Treasury has imposed new sanctions on a network of North Korean banks and officials accused of laundering millions of dollars in cryptocurrency stolen through state-backed cyberattacks. The Office of Foreign Assets Control (OFAC) said Tuesday it designated eight individuals and two entities for laundering funds derived from ransomware and illicit IT work schemes that finance Pyongyang’s nuclear and missile programs.

According to OFAC, the group moved at least $5.3 million in digital assets through sanctioned institutions, part of more than $2 billion in crypto stolen by North Korean hackers so far in 2025, based on data from blockchain analytics firm Elliptic. The sanctioned entities include First Credit Bank, Ryujong Credit Bank, and the Korea Mangyongdae Computer Technology Company (KMCTC).

“North Korean state-sponsored hackers steal and launder money to fund the regime’s nuclear weapons program,” said John K. Hurley, Under Secretary of the Treasury for Terrorism and Financial Intelligence. He added that the latest designations target the “financial arteries” supporting the country’s cyber operations.

Investor Takeaway

Elliptic and Treasury Trace Laundered Crypto

Elliptic’s research shows North Korea-linked groups have expanded from targeting platforms to using complex networks of shell companies and over-the-counter brokers in China and Russia. Two bankers, Jang Kuk Chol and Ho Jong Son, allegedly handled at least $5.3 million in stolen crypto tied to First Credit Bank. The funds originated from ransomware attacks on U.S. victims and remittances from overseas North Korean IT workers operating under false identities.

OFAC said both men were designated under multiple executive orders covering cyber-enabled activities and state revenue operations. The sanctions freeze their U.S.-linked assets and prohibit Americans from doing business with them or the affiliated institutions.

KMCTC, another target of the sanctions, operates IT worker delegations in the Chinese cities of Shenyang and Dandong. The Treasury said its president, U Yong Su, used Chinese nationals as banking proxies to mask the origin of earnings from sanctioned North Korean tech workers abroad. The company is accused of routing crypto through intermediaries to fund the regime’s defense programs.

Use of AI and Social Engineering in Attacks

Officials and cybersecurity researchers say North Korea’s hacking networks have become more sophisticated, using artificial intelligence to scale phishing and malware campaigns. Treasury has linked North Korean hackers to large-scale intrusions on crypto firms and decentralized platforms, combining AI-generated profiles with tailored social engineering tactics to breach targets.

These operations, often run by the Lazarus Group and its affiliates, rely on automated laundering tools that move funds across multiple blockchains and platforms. The use of sanctioned foreign banks has further complicated tracing efforts, allowing North Korea to recycle stolen crypto into hard currency or excellents used by its defense sector.

Investor Takeaway

Washington Expands Financial Pressure

The sanctions on Ryujong Credit Bank extend a years-long effort by Washington to block North Korea’s access to the global banking system. The bank has been accused of handling transfers for entities already blacklisted for sanctions evasion and crypto laundering. OFAC said the coordinated actions are part of a broader campaign to “cut off illicit revenue streams” tied to cyber operations and weapons development.

Analysts say the growing volume of stolen crypto underscores Pyongyang’s pivot to digital finance as sanctions have tightened on traditional trade. In the first eight months of 2025 alone, Elliptic estimates more than $2 billion worth of digital assets were taken from platforms and decentralized protocols linked to Western and Asian markets.

While enforcement has improved, the report warned that North Korea’s use of intermediaries in China and Russia continues to limit the effectiveness of sanctions. Regulators are now considering additional measures targeting crypto mixers and OTC desks that process transactions from DPRK-controlled wallets.

Tuesday’s designations bring the number of North Korean crypto-linked entities under U.S. sanctions to more than 70. Treasury officials said the department will continue working with partners in Europe and Asia to track and seize stolen funds.